DocumentCode
607307
Title
DroidLogger: Reveal suspicious behavior of Android applications via instrumentation
Author
Shuaifu Dai ; Tao Wei ; Wei Zou
Author_Institution
Beijing Key Lab. of Internet Security Technol., Peking Univ., Beijing, China
fYear
2012
fDate
3-5 Dec. 2012
Firstpage
550
Lastpage
555
Abstract
As mobile devices have increased rapidly in recent years, mobile malware is becoming a severe threat to users. Traditional malware detection uses signature-based methods, but these methods can be evaded by obfuscation or polymorphism. Behavior-based detection techniques were therefore proposed recently. To capture an app's behavior, previous works either use OS-level tools such as strace to capture system calls, or intercept high-level APIs by modifying the virtual machine. However, it is too difficult to understand the program's behavior from the information retrieved by the former method, and the technique used in the latter method requires modifying the emulator, which is not compatible when the Android version is upgraded. In this paper, we propose a new lightweight method to understand applications' behavior by logging the program's APIs and corresponding arguments. We build the logging system DroidLogger, which instruments the logging code into the application binary and prints out the API usage information at run time. We analyzed several malware samples and show that DroidLogger can reveal the malicious behavior effectively.
Keywords
application program interfaces; information retrieval; invasive software; mobile computing; operating systems (computers); system monitoring; virtual machines; API usage information; Android applications; Android version upgrade; DroidLogger; OS level tool; applications behavior; behavior-based detection techniques; high level API; information retrieval; logging code; logging program; logging system; malicious behavior; malware detection; mobile devices; mobile malware; obfuscation; polymorphism; program behavior; signature-based methods; suspicious behavior; virtual machine; Android; Behavior; Instrumentation; Malware Detection; Suspicious API;
fLanguage
English
Publisher
ieee
Conference_Titel
Computing and Convergence Technology (ICCCT), 2012 7th International Conference on
Conference_Location
Seoul
Print_ISBN
978-1-4673-0894-6
Type
conf
Filename
6530396